[bdNOG] DHCP Lease and Network Problem Help (Mohammad Shahjahan)

Brian Candler brian at nsrc.org
Thu Dec 10 14:36:34 BDT 2015

On 10/12/2015 02:42, Mohammad Shahjahan wrote:
> Thank you so much for your cordial help. Your are right the access 
> list wont work because our network provide dhcp lease through a layer 
> 3 switch with several vlan's with ip helper address ( as said.
> But there are no options to change helper ip address that because 
> there are lots of routing issue with other country's.
> So, that's why i think there are no hope to stop using GATEWAY IP 
> ADDRESS in android mobile user. We have to think about another 
> internet policy.
I don't really follow you.

Issues with how you configure your DHCP service, and issues with users 
manually configuring their own IP address to be the same as the subnet's 
gateway address, are two completely different things.

"there are no options to change helper ip address that because there are 
lots of routing issue with other country's"

I don't follow that either. The ip helper address configuration is 
entirely local to your network and is invisible both to the end-users 
and to the rest of the Internet. It just tells the router where to 
forward DHCP broadcasts to. It has nothing to do with global Internet 

There is a presentation here which includes a diagram showing how DHCP 
helper works:

Now: if you decide to make your DHCP service more resilient by adding a 
second DHCP server, you just add this into your network, and you add a 
second "ip helper-address" statement onto every VLAN. This is just a 
change made locally on your L3 switch. Like I say, no impact on routing.

The second problem is what happens if someone statically configures an 
IP address on their machine, and that IP address conflicts with another 
IP address in use. Worst case scenario, it conflicts with the router's 
IP address on that subnet.

I suggest that:

1. If you have a reliable DHCP service, there is no need for users to 
statically configure an address, ever. And once they trust the DHCP 
service, they won't even bother trying.

2. You can tell your users the policy is that they must use DHCP and are 
forbidden to configure addresses statically

3. You might be able to enforce this policy at the switch (e.g. using IP 
tracking) but it depends exactly what sort of switches and features you 
have available

4. You can monitor and detect when this problem occurs, and take action 
against the offender

But I believe that this will become very rare once you have dependable 
DHCP service.

You don't necessarily have to go with two DHCP servers. Other options 
would include making your single DHCP server more reliable (e.g. dual 
power supplies, connected to UPS); or you can run your DHCP service 
directly on the L3 switch itself, although that makes it less easy to 
manage, e.g. when you want to add a static mapping from MAC address to 
IP address.

But having two DHCP servers is a relatively cheap and simple solution; 
also they can be plugged into different switches or different ports on 
your L3 switch, so you gain redundancy against more types of failure. 
And if you run your caching DNS service on the same two boxes then you 
get resilient DNS as well.



More information about the nog mailing list